Encryption
- Metadata is never encrypted
- Server Side (SSE)
- Possible to enforce with bucket policy (only encrypted data can be uploaded)
- SSE-S3
- S3 manages keys (AES-256)
- SSE-KMS
- More flexible than SSE-S3 but additional charges (for KMS)
- Customer can manage or use default KMS key generated for him (aws/s3)
- ETag is not MD5 hash anymore (as it would be security hole)
- Headers
- x-amz-server-side-encryption = aws:kms
- x-amz-server-side-encryption-aws-kms-key-id
- x-amz-server-side-encryption-context (do not use sensitive data here)
- SSE-C
- Customer provides the key
- Different objects(versions) may have different key
- Headers
x-amz-server-side-encryption-customer-algorithm = AES256x-amz-server-side-encryption-customer-keyx-amz-server-side-encryption-customer-key-MD5
- Client Side (CSE)
- Can be used to store sensitive configuration
- Integrates with KMS
- Encryption is opaque to S3
Permissions
- Places where you setup access permissions
- Bucket Policy
- Max 20 kB
- ACL
- Bucket ACL
- Object ACL
- User IAM Policy
- Authorities
- Parent Account Owner
- Bucket Account Owner
- Object Account Owner
- User Context
- Only when IAM user
- Bucket Context
- Object Context
- Bucket Account Owner can deny access
ACL
- Bucket and object level
- Default ACL: grants owner full permissions
- Max 100 grants per ACL
- Grantee
- AWS account
- can be identified by email address
- Cannot grant permissions to IAM users
- Predefined AWS Group
- Authenticated Users (all AWS accounts) - must have Authentication header
- All Users (includes Anonymous)
- Log Delivery Group (WRITE permission enables storing S3 logs)
- Permissions
- READ
- Bucket
- ListBucket, ListBucketVersions, ListBucketMultiPartUploads
- Object
- GetObject, GetObjectVersion, GetObjectTorrent
- WRITE
- Bucket
- PutObject, DeleteObject, DeleteObjectVersion (only when grantee is owner)
- READ_ACP (read bucket/object ACL)
- Bucket
- GetBucketACL
- Object
- GetObjectACL, GetObjectACLVersion
- WRITE_ACP (change bucket/object ACL)
- Bucket
- PutBucketACL
- Object
- PutObjectACL
- Canned ACL (predefined grants)
- private
- public-read
- public-read-write
- aws-exec-read
- authenticated-read
- bucket-owner-read
- bucket-owner-fullcontrol
- log-delivery-write
- Use cases
- Generally prefer Bucket Policy and IAM policy (ACL is legacy mechanism)
- LogDeliveryGroup must use ACL
- Bucket Policy limit reached (20kb)
- Wide variety of permissions on objects (cannot be captured by policy easily)
Pre-signed urls
- Example
https://s3.amazonaws.com/examplebucket/test.txt ?X-Amz-Algorithm=AWS4-HMAC-SHA256 &X-Amz-Credential=<your-access-key-id>/20130721/us-east-1/s3/aws4_request &X-Amz-Date=20130721T201207Z &X-Amz-Expires=86400 &X-Amz-SignedHeaders=host &X-Amz-Signature=<signature-value>
- Uploading encrypted object
- SSE-KMS
- SSE-S3
- SSE-C (customer specified key)
- restricts that upload to specific encryption key
- Use cases
- Temporary access to a file (max 7 days)
- Upload to a bucket without having any AWS credentials
- Communication mechanism in CloudFormation
- Signaling
- CreatePolicy - Signalling
- WaitCondition/WaitHandle
- Generating
- Anyone with valid security credentials can create pre-signed url
- It will only work if my permissions actually allow to upload (otherwise there would be privilage escalation)
- Java SDK supports creation
CORS
- Cross-origin access to mitigate JavaScript SOP restrictions
- Preflight (OPTIONS) request to determine access rights
- Configured on bucket
- CORSRule
- Allowed Origin (i.e. requestor domain)
- Allowed Methods (GET, PUT, POST, ...)
- Allowed Headers (in the preflight request which headers requestor may ask for)
- Expose Headers (which headers can be read on the client side)
- MaxAgeInSeconds - how long preflight response can be cached
- Use Cases
- Auto-complete
- Drag'n'Drop upload to S3
- Upload progress
- Update content directly from JS
- Serving Web Fonts
No comments:
Post a Comment